[ipv6hackers] (Remote) Neighbor Cache Exhaustion Attacks - Some Discussion

Enno Rey erey at ernw.de
Tue Mar 5 12:58:42 CET 2013


I just built a small Cisco-based lab to verify if my (potentially flawed, seriously) understanding of remote neighbor cache exhaustion attacks is correct.
It seems that Cisco devices never store more than 512 INCOMPLETE entries in their neighbor cache, regardless of the actual number of NS packets sent out (and missing their respective NAs).

Can anybody confirm similar behavior for other vendors' L3 devices or routers based on BSD/Linux/Solaris/whatever?
I tend to conclude that the actual risk of remote NCE is exaggerated in some circles, but I might have overlooked something.
Details on the testing I did can be found here: http://www.insinuator.net/2013/03/ipv6-neighbor-cache-exhaustion-attacks-risk-assessment-mitigation-strategies-part-1/.

Happy about any kind of feedback...



Enno Rey


ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 174 3082474
PGP FP 055F B3F3 FE9D 71DD C0D5  444E C611 033E 3296 1CC1

Commercial Register Mannheim: HRB 337135
Managing Director: Enno Rey

Blog: www.insinuator.net || Conference: www.troopers.de
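To make the observation above concrete, here is a constructed model of a router's neighbor cache under a sweep of on-link addresses that never answer with an NA. It is an added illustration, not code from the post or from any vendor; it assumes the 512 figure is a hard cap on INCOMPLETE entries and compares that against an uncapped cache, so that the bounded resource impact of the capped design becomes visible.

```python
# Constructed model of a router's IPv6 neighbor cache under an address sweep
# that never gets Neighbor Advertisements back. Not vendor code; the 512
# figure is the observation from the post, treated here as a hard cap.

INCOMPLETE_CAP = 512


class NeighborCache:
    """Track neighbor entries and their NDP state (INCOMPLETE / REACHABLE)."""

    def __init__(self, incomplete_cap=None):
        self.cap = incomplete_cap          # None models an uncapped implementation
        self.state = {}                    # address -> "INCOMPLETE" | "REACHABLE"
        self.incomplete = 0
        self.ns_sent = 0
        self.unrecorded = 0                # NS sent without keeping an entry

    def resolve(self, addr):
        """Router needs a link-layer address for addr: send NS, create entry."""
        if addr in self.state:
            return self.state[addr]
        self.ns_sent += 1
        if self.cap is not None and self.incomplete >= self.cap:
            self.unrecorded += 1           # probe still goes out, no state kept
            return None
        self.state[addr] = "INCOMPLETE"
        self.incomplete += 1
        return "INCOMPLETE"

    def neighbor_advertisement(self, addr):
        """A host answered: the entry becomes REACHABLE and frees an INCOMPLETE slot."""
        if self.state.get(addr) == "INCOMPLETE":
            self.incomplete -= 1
        self.state[addr] = "REACHABLE"


def sweep(n_addresses, incomplete_cap):
    """Return (NS sent, entries held, INCOMPLETE entries) after a sweep of
    n_addresses unanswered on-link destinations in 2001:db8::/64 (constructed)."""
    cache = NeighborCache(incomplete_cap)
    for i in range(n_addresses):
        cache.resolve(f"2001:db8::{i:x}")
    return cache.ns_sent, len(cache.state), cache.incomplete


if __name__ == "__main__":
    print("uncapped:", sweep(20000, None))
    print("capped  :", sweep(20000, INCOMPLETE_CAP))
```

With the cap, NS count still tracks the sweep size while cache state stays at 512 entries; a host that answers frees one slot, which is the behaviour a defender would want to verify on their own platform.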
